interviewBy Eugene Okumu
Kenya is firmly on the path to full digitization with a robust ICT sector that is ever growing. The current government has ambitious ICT-related plans that include a free laptop project for Standard-One-students in public Primary schools across the country, and an ICT-driven economy expected to attain double digit growth rate. With the growth of the sector however, the government and the society is faced with the gargantuan challenge of securing the ICT infrastructure from malicious infiltration both internal and external. Our reporter EUGENE OKUMU spoke to Evans Kahuthu, the Information Security Project Manager at the ICT Authority, on the government's plans to ensure a safe cyber environment for its citizens.
Q. Prior to the formulation and launch of the cyber security strategic plan in March this year and the anticipated release of the cyber security master plan in June, what was the status of ICT security in the country?
The Government of Kenya has had a lot of issues in terms of cyber security. A lot has to do with the fact that cyber security is a new concept. Kenya has a culture where we tend to be more reactive than proactive and that's a challenge across several sectors not just government. One of the things that happened with the acquisition of fiber optic is that Kenyans' mindset never shifted from the old connection to internet at present being like a superhighway.
With the old technology, when connecting to the internet, one computer would connect to several devices within an institution and within devices connected to one internet service provider. The process is called hopping and with old connections a computer would make several hops before one could get access. The delay period is called. The process has a direct correlation with hackers.
Hackers don't like a long latency which is slow connection. If one is trying to hack a bank and a connection takes five hours, by the time one is getting in, the bank might be closing.
With the arrival of fiber, distance became a thing of the past because fiber enables a direct connection and uses electromagnetic connection. So accessing a server in New Zealand is as quick as accessing a server in Kenya. And this makes it better for hackers because a target is not localized.
The government had been reluctant to continuously monitor its system prior to the prevalence of hacking. There was no structured approach to cyber security. With a plan in place you know how to protect the system.
Q. How does the ICT Authority plan to remedy this precarious situation that the country faces as fiber optic connection becomes more accessible?
The ICT authority has been working on a cyber security master plan in a process called a gap analysis. Through this process the authority took into consideration the ideal cyber security position as contained in international standard of operation (ISO) best practice certification, and compared that against the country's ICT security status. After the gap analysis, the authority considered a target state which is the best desired status of protection. This also has international benchmarks.
The master plan then informs institutions how to protect their ICT infrastructure. Around the world there is the cyber security master plan and the strategy. The master plan is supposed to be a country's plan of how to protect itself. If this lands in the wrong hands, security is compromised. But since public input is also necessary in formulation of a course of action, a strategy is what is shared which is high level. What the ICT Authority has done is come up with the strategy which will inform the master plan.
Moving forward, after the master plan is the implementation where we now need to secure the government in ICT related interactions. The whole idea is one can never be 100 per cent protected, but as an Authority we need to do mitigation which means an acceptable level of ICT systems infiltration. This is important so that even if we are hacked we can be up and running in the shortest time possible or minimize losses to the lowest possible level to ensure continuous provision of government services and operations. This presents a challenge especially with the advent of fiber optic and the ease of access to the internet in that attacks can come from anywhere in the world.
Q. In your experience, what would you say is the agenda of cyber-based attacks in Kenya?
Don't rule out espionage. If you look at some of these donor nations and their interest in Kenya, logistically it makes sense for them to know what is happening in Kenya good or bad seeing as Kenya is a regional hub economically and socio-politically. So some donor nations will take advantage of ICT vulnerability.
Secondly cyber-terrorism is another possible agenda. Terrorists might be looking at cyber attacks as a remote way of causing damage since their physical presence might not be as efficient. Alternatively with terrorism, cyber attacks can assist them with identity theft which then enables them to enter the country undetected to carry out attacks from close range
Additionally we have financial crimes such as bank robbery where thieves might opt for a cyber attacks to avoid the possibility of being captured or killed by police. And with these types of cyber crime, there is motivation. Take for instance if a hacker is able to steal a billion shillings from a bank, yet the Kenya Information and Communications Act sets a penalty of Sh5 million for tampering with a computer, the return is incentive enough to lead hackers to attack financial institutions.
Q. Given the scope of vulnerabilities associated with fiber optic connectivity and digitization isn't it then advantage for the Government of Kenya to remain analogue in the sense that sensitive information stays offline?
If a file is tampered with offline it is difficult to trace any alterations or actions conducted with a file for instance. Somebody can make a copy of that file and nobody would ever know. But online if somebody tampers with that file there is a trail to follow. Going digital is an advantage in the sense that you have an audit trail of everything that has ever happened to that file. Additionally you have multiple copies of that file for storage and retrieval. With analogue storage, something as simple as a fire can cause irreparable damage.
If we look at ease of delivering services to people as mandated by the constitution regardless of their location there are obvious hindrances the government faces. Telecomm companies are also concentrated in cities and towns because setting up infrastructure in far-flung areas has little to no return on investment. As government, setting up a functional ICT sector means delivering some essential services to remote areas can be easily realized.
Q. Is there a particular aspect of cyber security that presents the greatest challenge with regards to enabling efficient protection?
Around the world ICT experts will tell you the people part is the biggest impediment to ensuring cyber security. There are technologies to tell you who logged in to a system and who tampered with what files and these can be restricted through setting up processes and creating accessibility barriers. But the human being is a much harder security threat to deal with. Look at the situation with the former CIA agent Edward Snowden who gave out sensitive information on the US government operations in several places across the world. This is a perfect example why to solve the challenge of human beings and their role in the implementation of cyber security is a problem.
Q. Coming back to the cyber security strategy, one of the objectives is to build national capacity through creation of awareness and developing Kenya's workforce to address cyber security needs. At present what would you say is the level of awareness on cyber security practices?
At the moment that awareness is very low and this is evident in some online practices of public sector workforce. People have no idea of the implication of the information they post on social media. I see people post a lot of personal information on Facebook Twitter and other social media platforms. Some of these platforms are indirectly owned by security agencies which use information posted on these platforms to profile people. They don't even need direct interaction anymore. They collate information posted on several platforms which is why you find that some types of crimes in places like the USA are easy to fight.
In Kenya generally, based on security assessments I have conducted, the best person to source information from is always the secretary. If you send an email to your boss for instance, chances are high that the person replying to it is the secretary because the boss has allowed the secretary to have the password which at times is written on a sticky note stuck to the computer. And that password is quite possibly what is being used for online banking, so if you know the account he holds you can now use that to commit crime. So the level of awareness is very low, but that is something outlined in the master plan as a factor of great concern; both technical and basic cyber security awareness for users.
Q. Still on the cyber security strategy national building, the government intends to come up with a curriculum for tertiary institutions to teach awareness, but what is being done to cater to adolescents and teenagers in primary and secondary schools who are considered as minors but who are accessing the internet just as easily?
Out of the master plan set to be launched before the end of this month, there is a whole chapter dedicated to creating awareness across different tiers of citizens and that is covered. In fact one of my arguments has been that the younger age groups need the most awareness because they are the ones growing up with the emerging technologies. I have a 12-year-old nephew who once called me to ask how to root a mobile phone. The phrase root is a heavy term which according to hackers means taking control of a system. So the young ICT users are the group to target and the ideas is to make them ethical users from the word go so they can make a career out of ICT.
Q. Given that in the course of creating public awareness on cyber security the government runs the risks of encouraging hackers to develop new methods of infiltrating systems, are there measures put in place to mitigate a situation where the government is always playing catch up to hackers?
In cyber security there is a term called 'Zero Day' and this means that a cyber attack is a new one that has never been documented. Dealing with zero day is the biggest challenge around the world. So as much as you create awareness, you also have to constantly monitor systems for purposes of mitigation as I had mentioned earlier. Safaricom for instance has a very good awareness campaign with M - Pesa which is 'Pin Yako, Siri Yako' - Your pin is your secret. That is one aspect of creating awareness. But in the meantime, there are specialists running analysis for the critical systems and it is up to you to be on top of your game and teach them how to deal with zero day. Attacks are becoming sophisticated by the day and dealing with them presents a challenge.
The beauty of it all is that there is already a community out there that is engaged in doing the right thing just as there is a community that is actively engaged n doing the wrong thing. For me, I belong in worldwide forums where ICT related activities are documented. With such forums a member who is in charge of critical systems can learn analysis and implement protocol to secure the system.
With security you don't want a technician who is a graduate but is reactive and not proactive. In fact you want someone who is actively researching and that is something we've put emphasis on in the master plan so that at any particular time we are in the know on what's going on.
The other thing we have in the master plan is provisions to acquire some softwares that when run can monitor critical systems for suspicious activity, and once that is detected, we need people who understand what these suspicious activity is likely to affect and implement appropriate counter measures. Continuous system monitoring must happen because the bad guys are always reinventing themselves.
Q. The cyber security strategic talks of government partnering with other stakeholders in the effort of ensuring ICT security. Who are these stakeholders the government wants to engage in achieving secure ICT manpower and infrastructure?
One of the biggest problems you can ever have with cyber security is operating in isolation. If you look at Kenya for instance, critical telecommunications infrastructure such as landing stations and fiber optics are privately owned. So assuming you have an attack of high magnitude, who do you call to switch off internet and other vulnerable services? It's the Safaricom, Airtel Yu and other service providers.
A perfect example right now is mobile money crimes. The CID does not have the data. They get their information from the telecoms so that collaboration must exist. To fight cyber crime, all stakeholders must all engage each other so that each party's role is identified. Even Kenya Power is an important partner in this venture. If there is a crime and forensic activities are dependent on power it is up to them to ensure power stays on so that evidence is not adulterated. All stakeholders are very important.
We also want to work with the judiciary because we discovered that judges to not have capacity to prosecute cyber crime or make them admissible in court. So we want to have an awareness workshop with them to show them what forms cyber crime takes but in a controlled environment to help them understand. We also need to bring police up to speed because there was a time police themselves were not aware of cyber crime. So those are the stakeholders we're talking about. We need the legal framework, and when need the academia because institutions of learning will create this capacity. We also need the media because they can assist with providing a broad audience base for the awareness campaigns. We need to win the war on cyber crime together.
Q. On the subject of creating awareness in the judiciary as a stakeholder, are there currently legislations that adequately cater to protecting cyber security in the country.
The Kenya Information Communication defines cyber crime as "computer crime" which is tampering with an institution's network whether public or private and stipulates a penalty of Sh5 million. So at the very minimum there is a definition of cyber crime in the Kenyan law.
Q. You have mentioned at length cyber security policies that cater to the soft data of critical systems. Does the strategy take into considerations cyber intrusions of a more physical nature such as floods, fires and earthquakes?
When an organization has a cyber security culture, they revert to the ISO 27001 standard out of which there is the continuity of operations (COO). The COO certification means that an organization can operate to an acceptable level regardless of prevailing hindrances.
For commercial banks to have visa for instance they have to prove that they can operate under several adverse conditions. The guiding principle for organizations with obligations to their clients is whether they can afford downtime. With continuity of operation disasters such as flooding have to be taken into consideration. There is for instance the practice or setting up data center and disaster recovery center which are off-site and in various locations to avoid calamity to both. Companies have gone even further and utilize cloud services where you subscribe to remote storage services. This has the advantage of even creating redundancy through multiple replications of data so that it is easily available on demand.
So for critical infrastructure you always need to have a plan in case things go wrong.
Q. You mentioned forums where participants are positively engaging in ensuring cyber security by demonstrating how critical systems are penetrated but in a controlled environment. Are there provisions within either the cyber security strategy or master plan for engaging some of them participants in formulation of national cyber security protocols?
I'll put it this way, with cyber security, the line between ethical and unethical practices is the challenge with government as with any other institution, if you are to allow anybody access to your system, that is the risk you will have to take. They can either guarantee your security or bring you down. How to balance that is the question. But as government, we need to create capacity where we can vet some of these people and bring them in and allow them to assist in securing critical systems.
Q. In your opinion, what is an absolute necessity for an individual or an organization to do to as a way of ensuring a measure of cyber security for their ICT systems?
The simple answer is best practice. Going back to my earlier example, when building a house, you know that you need to draw up a plan for how the house will look like. In the same way, when you buy a laptop you know that you need to secure it with a password, and not a password that is easy to guess. For a critical system think of what kind of password you should put. If the same system is to be accessed within the organisation, why would you put a public access address?
Some best practices can go a long way in ensuring that the security of the organisation is guaranteed. I have done assessments where it takes less than two minutes to infiltrate the systems because they didn't incorporate best practice. Every device that is manufactured has a default password even something as small as a mobile phone. You would be surprised at how many people haven't changed the default password.
So you find that a big organisation with a perfect network system is still running critical devices with default settings because of lack of best practice. If you move into a new house that was previously occupied, if you need to guarantee your security, change the locks. You can't use the old padlocks because the previous occupant might have a spare key. Best practice goes a long way in ensuring cyber security.